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Abstract. This paper is a written version of a one hour lecture 
on Peter Shor's quantum factoring algorithm. It is based on Q 
§, and (l| . 
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1. Preamble to Shor's algorithm 
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There are cryptographic systems (such as RSA[]) that are extensively 
used today (e.g., in the banking industry) which are based on the following 
questionable assumption, i.e., conjecture: 

Conjecture (Assumption). Integer factoring is computationally much 
harder than integer multiplication. In other words, while there are obviously 
many polynomial time algorithms for integer multiplication, there are no 
polynomial time algorithms for integer factoring. I.e., integer factoring 
computationally requires super-polynomial time. 

This assumption is based on the fact that, in spite of the intensive efforts 
over many centuries of the best minds to find a polynomial time factoring 
algorithm, no one has succeeded so far. As of this writing, the most asymp- 



totically efficient classical algorithm is the number theoretic sieve [10|, [11], 



which factors an integer N in time O (^exp (lgiV) ' (lglgiV) ' J. Thus, 

this is a super-polynomial time algorithm in the number O (lg N) of digits 
in N. 



However, ... Peter Shor suddenly changed the rules of the game. 

Hidden in the above conjecture is the unstated, but implicitly understood, 
assumption that all algorithms run on computers based on the principles of 
classical mechanics, i.e., on classical computers. But what if a computer 
could be built that is based not only on classical mechanics, but on quantum 
mechanics as well? I.e., what if we could build a quantum computer? 

Shor, starting from the works of Benioff, Bennett, Deutsch , Feynman, 
Simon, and others, created an algorithm to be run on a quantum com- 
puter, i.e., a quantum algorithm, that factors integers in polynomial time! 

Shor's algorithm takes asymptotically O ^(lg N) 2 (lg lg N) (lglglgiV)^ steps 
on a quantum computer, which is polynomial time in the number of digits 
O(lgiV) of N. 



2. Number theoretic preliminaries 



Since the time of Euclid, it has been known that every positive integer N 
can be uniquely (up to order) factored into the product of primes. Moreover, 

*RSA is a public key cryptographic system invented by Rivest, Shamir, Adleman. 
Hence the name. For more information, please refer to WJt. 
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it is a computationally easy (polynomial time) task to determine whether or 
not N is a prime or composite number. For the primality testing algorithm 



of Miller-Rabin [14] makes such a determination at the cost of 0(s\gN) 
arithmetic operations [O (s lg 3 iV) bit operations] with probability of error 

ProbError < 2~ s . 

However, once an odd positive integer N is known to be composite, it does 
not appear to be an easy (polynomial time) task on a classical computer to 
determine its prime factors. As mentioned earlier, so far the most asymptot- 
ically efficient classical algorithm known is the number theoretic sieve [1C], 

[|lTJ , which factors an integer N in time O (exp (lgiV) 1/3 (lg lg A^) 2/3 ) . 

Prime Factorization Problem. Given a composite odd positive integer 
N , find its prime factors. 



It is well known J14| that factoring N can be reduced to the task of choosing 
at random an integer m relatively prime to N, and then determining its 
modulo N multiplicative order P, i.e., to finding the smallest positive integer 
P such that 



m 



p = 1 mod N 



It was precisely this approach to factoring that enabled Shor to construct 
his factoring algorithm. 



3. Overview of Shor's algorithm 



But what is Shor's quantum factoring algorithm? 



Let N = {0, 1, 2, 3, . . . } denote the set of natural numbers. 



Shor's algorithm provides a solution to the above problem. His algorithm 
consists of the five steps (steps 1 through 5), with only STEP 2 requiring 
the use of a quantum computer. The remaining four other steps of the 
algorithm are to be performed on a classical computer. 

We begin by briefly describing all five steps. After that, we will then 
focus in on the quantum part of the algorithm, i.e., STEP 2. 
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Step 1. 



Choose a random positive integer m. Use the polynomial time Eu- 
clidean algorithm^ to compute the greatest common divisor gcd (m, N) 
of m and N. If the greatest common divisor gcd (in, N) ^ 1, then we 
have found a non-trivial factor of N, and we are done. If, on the other 
hand, gcd (m, N) = 1, then proceed to STEP 2. 



STEP 2. 



Use a quantum computer to determine the unknown period P of 
the function 

fN 



N 
a 



N 

m a mod N 



Step 3. If P is an odd integer, then goto Step 1. [The probability of P being 
odd is 



, , where k is the number of distinct prime factors of N.] 
P is even, then proceed to Step 4. 



If 



Step 4. Since P is even, 

Pft-l) ( m p / 2 + 1 



in 



m 



p - 1 = OmodA^ . 



If m p / 2 + 1 = OmodiV, then goto Step 1. If m p / 2 + 1 / OmodiV, 
then proceed to Step 5. It can be shown that the probability that 
m p l 2 + 1 = OmodA^ is less than where k denotes the number 

of distinct prime factors of N. 



Step 5. Use the Euclidean algorithm to compute d = gcd {m p l 2 — 1, N) . Since 

m p / 2 + l / mod N, it can easily be shown that d is a non-trivial factor 
of N. Exit with the answer d. 



Thus, the task of factoring an odd positive integer ./V reduces to the 
following problem: 

Problem. Given a periodic function 

/:N— »N, 

find the period P of f. 



2 The Euclidean algorithm is O (lg 2 N) . For a description of the Euclidean algorithm, 
see for example Q or 
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4. Preparations for the quantum part of Shor's algorithm 



Choose a power of 2 

Q = 2 L 

such that 

N 2 <Q = 2 L < 2N 2 , 
and consider / restricted to the set 

S Q = {0,1,... ,Q-1} 
which we also denote by /, i.e., 

/ : Sq ► Sq . 

In preparation for a discussion of STEP 2 of Shor's algorithm, we con- 
struct two L-qubit quantum registers, REGISTERl and REGISTER2 to hold 
respectively the arguments and the values of the function /, i.e., 

|Reg1) |Reg2) = |o) |/(o)) = \a) \b) = \a ai ■ ■ ■ a L -i) Mi ■ ■ ■ b L -i) 

In doing so, we have adopted the following convention for representing 
integers in these registers: 

Notation Convention. In a quantum computer, we represent an integer 
a with radix 2 representation 

L-l 
3=0 

as a quantum register consisting of the 2 n qubits 

L-l 

| a) = |a ai • • • a L -i) = (^) \a 3 ) 

j=o 

For example, the integer 23 is represented in our quantum computer as n 
qubits in the state: 

|23) = 110111000- • • 0> 

Before continuing, we remind the reader of the classical definition of the 
Q-point Fourier transform. 
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Definition 1. Let uo be a primitive Q-th root of unity, e.g., u = e 2m ^ . 
Then the Q -point Fourier transform is the map 

Map(S Q ,C) Map(S Q ,C) 
[f:S Q ^C]^[f:S Q 
where 

f(y) = 4r E 

We implement the Fourier transform Jasa unitary transformation, which 
in the standard basis 

|0),|1),... ,|Q-1) 
is given by the Q x Q unitary matrix 

t 1 ■ - 



JQ 

This unitary transformation can be factored into the product of O (lg 2 Q) 
O (lg 2 N) sufficiently local unitary transformations. (See |15[ |, ||.) 



5. The quantum part of Shor's algorithm 
The quantum part of Shor's algorithm, i.e., STEP 2, is the following: 



STEP 2.0 | Initialize registers 1 and 2, i.e., 

|V?o) = |Reg1) |Reg2) = |0> |0) = |00 • • • 0) |0 • • • 0) 



STEP 2.1 1 QApply the Q-point Fourier transform T to RegisterI. 



1 Q-i 1 Q-i 

\tM = io) |o) m ^ = ^E \ x ) i°> = to E i*> i°> 



Remark 1. Hence, RegisterI now ZioZds oZZ the integers 

0,1,2,... ,Q-1 

in superposition. 



3 In this step we could have instead applied the Hadamard transform to RegisterI 
with the same result, but at the computational cost of O (lg N) sufficiently local unitary 
transformations. The term sufficiently local unitary transformationis defined in the last 
part of section 7.7 of M. 
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STEP 2.2 | Let Uf be the unitary transformation that takes \x) |0) to \x) \f(x)). 

Apply the linear transformation Uf to the two registers. The result 
is: 

Q-i Q-i 

l^i> = ~m E l*> 1°) ^ 1^) = to E l*> !/(*)> 

* a;=0 * i=0 



Remark 2. The state of the two registers is now more than a superposition 
of states. In this step, we have quantum entangled the two registers. 



STEP 2.3. Apply the Q-point Fourier transform T to RegI. The resulting state 
is: 

Q-l Q-lQ-1 

iv> 2 > = ^ !>>!/(*)> m iv>3> = ^£E^iy> !/(*)> 

x=0 x=0 y=0 

Q-l 



iEiii T (y))ii-i^TO> 

y=o 



where 

Q-l 

\T(y)) = ^ xy \f(x)). 



x=0 



rEP 2.4. Measure RegI, i.e., perform a measurement with respect to the or- 
thogonal projections 

|0)<0|®J, |1><1|®/, |2)<2|®/, ... , |Q-1)(Q-1|® J, 

where I denotes the identity operator on the Hilbert space of the second 
register Reg2. 

As a result of this measurement, we have, with probability 

Prob(y ) = — 2 , 

moved to the state 

|TM> 



|yo) 



|TM)|| 
and measured the value 

y £ {0,1,2,... ,Q-1} . 
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If after this computation, we ignore the two registers RegI and Reg2, we 
see that what we have created is nothing more than a classical probability 
distribution S on the sample space 

{0,1,2,... ,Q-l} . 

In other words, the sole purpose of executing STEPS 2.1 to 2.4 is to create 
a classical finite memoryless stochastic source S which outputs a symbol 
Do G {0, 1,2,... , Q — 1} with the probability 



Prob(y ) = 




(For more details, please refer to section 8.1 of [jT^] -) 



As we shall see, the objective of the remander of Shor's algorithm is to 
glean information about the period P of / from the just created stochastic 
source S. The stochastic source was created exactly for that reason. 



6. Peter Shor's stochastic source S 



Before continuing to the final part of Shor's algorithm, we need to analyze 
the probability distribution Prob (y) a little more carefully. 



Proposition 1. Let q and r be the unique non-negative integers such that 
Q = Pq + r , where < r < P ; and let Qq = Pq. Then 



Prob (y) 



i 2 (^-(^+i))+(^-^(^.Qa) 



r{Qo+P? + {P-r)Ql 
WP 1 



if Py /OmodQ 
if Py = mod Q 



A LECTURE ON SHOR'S FACTORING ALGORITHM 



Proof. We begin by deriving a more usable expression for |T(y)). 
Q-i Qo-i 0-1 

\T( y )) = j2" xy \f( x ))=Y, ujXy \f( x » + Y, ujXy \f( x » 



x=0 



P-l^-l r-1 r f Q \ 1 

£ £ w (P*i+*o)y| / ( Pxi+a;o )) + ^ w i P i^ +:E( ^|/(p Xl+Xo )) 



a;=0 



x=Qo 



xo=0 xi=0 

P-l 

xo=0 



( Qo 
p 



x =0 



r-1 



E^ 1 I |/(x ))+E^ 02/ -^ W l/( s o)> 

\ 



xi =0 



xo=0 



r-1 / \ P-l / — 

5^w xo » • ^2uj p y xi I |/(x )) + 5^w xo » • 

xq=0 \ a;i=0 



Qo. 



xo=r \ =0 

where we have used the fact that / is periodic of period P. 



l/(*o)> 



Since / is one-to-one when restricted to its period 0, 1,2, . . . , P — 1, all 
the kets 

|/(0)), |/(1)), |/(2)), ... , |/(P-1)>, 
are mutually orthogonal. Hence, 





Qo 


2 


Qo_ 1 


<T(y) | T(y)) = r 




+ (P - r) 






xi=0 




X! =0 



If Py = OmodQ, then since to is a Q-th root of unity, we have 
(%)|T(y))=r(^ + l) 2 + (P-r) * 



On the other hand, if Py / OmodQ, then we can sum the geometric 
series to obtain 



TO) | T(j/)> = r 



Jy{^) - 1 



+ (P-r)) 



a; 



^ _ i 



= r 



2ss.p r (ai + , 



)-i 



2tti 

e « ' 



- 1 



+ (P-r)) 



- 1 
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where we have used the fact that uj is the primitive Q-th root of unity given 
by 



,2-Ki/Q 



The remaining part of the proposition is a consequence of the trigono- 
metric identity 



e w -1 



4 sin 2 



□ 



As a corollary, we have 



Corollary 1. If P is an exact divisor of Q, then 

if Py ^ mod Q 



Prob (y) 



1 if p y = mod Q 



7. A MOMENTARY DIGRESSION: CONTINUED FRACTIONS 



We digress for a moment to review the theory of continued fractions. (For 
a more in-depth explanation of the theory of continued fractions, please refer 
to § and ||.) 



Every positive rational number £ can be written as an expression in the 
form 

£ = ao H l — , 

oi H i 



a 3 + 




any- 



where ao is a non-negative integer, and where ai, ... are positive inte- 
gers. Such an expression is called a (finite, simple) continued fraction, 
and is uniquely determined by £ provided we impose the condition a at > 1. 
For typographical simplicity, we denote the above continued fraction by 



[ao, ai, . . . , ajv] 
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The continued fraction expansion of £ can be computed with the following 
recurrence relation, which always terminates if £ is rational: 



j ao = L£J 




r a n+ i = LVCnJ 




, and if £ n 7^ 0, then 


[ £n+l = ^ - O-n+1 


[ £o = £ - a 





The n-th convergent (0 < n < N) of the above continued fraction is 
defined as the rational number £ n given by 

in = [ao, a\, . . . , a n ] . 

Each convergent £ ra can be written in the form, £ n = 2a, where p n and g n 
are relatively prime integers ( gcd (p n , q n ) = 1). The integers p n and q n are 
determined by the recurrence relation 



Po 


= ao, 


Pi 


= aia + 1, 




Qo 


= 1, 


qi 


= ai, 


(?n = a n q n -\ + q n -2 . 



8. Preparation for the final part of Shor's algorithm 



Definition 2. ^For each integer a, let {a}g denote the residue of a 
modulo Q of smallest magnitude. In other words, {a}q is the unique 
integer such that 

a = {a}q mod Q 
-Q/2 < {a} Q < Q/2 



Proposition 2. Let y be an integer lying in Sq. Then 



Prob(y) > < 



i-(l-i) 2 if 0< {Py} 



Q 



<f '(1 



A) 



i 



i \ 2 



4 W Q = a - Q • roW (§) = a - Q • + § 
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Proof. We begin by noting that 
*{ p y}Q (Qo 



<5-(i-^)-(i + S)<f-(i-^)-(i + *)<§. 

where we have made use of the inequalities 

iV 2 < Q < 2N 2 and < P < N . 
It immediately follows that 



*{Py} Q Qo 
p 



Q 



< 



TT 



As a result, we can legitimately use the inequality 
4^ < sin 2 6> < 6 2 , for \0\ < | 
to simplify the expression for Prob (y). 
Thus, 



Prob (y) 



Q 



rsni-( , , - ■ | -jr+l) )+(P-r)sin 2 



> 







\ 2 

) 















p. 



4 



■ p-y q ) 



The remaining case, {Py}q = is left to the reader. 



□ 



Lemma 1. Let 

y = {y G S Q I |{Py} Q | < ^} arid Sp = {d G Sq | < d < P} . 
T/ien the map 

Y — > S P 

y i — ► d = d{y) = round (j^ ■ 
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y = y{d) = round \ — ■ d 

Hence, Y and Sp are in one-to-one correspondence. Moreover, 

{Py} Q = P-y-Q-d{y) . 



Remark 3. Moreover, the following two sets of rationals are in one-to-one 
correspondence 

d 



y_ 
Q 



yeY 



< — | < d < P 



As a result of the measurement performed in STEP 2.4, we have in our 
possession an integer y EY. We now show how y can be use to determine 
the unknown period P. 

We now need the following theorem^] from the theory of continued frac- 
tions: 

Theorem 1. Let £ be a real number, and let a and b be integers with b > 0. 
If 

1 



< 



2b 2 ' 



then the rational number a/b is a convergent of the continued fraction ex- 
pansion of 

As a corollary, we have: 



Corollary 2. // 



{Py}c 



< y ? then the rational number is a convergent 



of the continued fraction expansion of |4 . 
Proof. Since 

Py - Qd(y) = {Py} Q 



we know that 



which can be rewritten as 



\Py-Qd(y)\<-, 



V d{y) 



Q P 



< 



2Q 



5 See @, Theorem 184, Section 10.15]. 
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But, since Q > N 2 , it follows that 



V d(y) 



Q P 



1 

< 



2N 2 



Finally, since P < N (and hence < aDove theorem can be 

applied. Thus, is a convergent of the continued fraction expansion of 
* = □ 



Since ^yA is a convergent of the continued fraction expansion of it 
follows that, for some n, 

= 

where p n and q n are relatively prime positive integers given by a recurrence 
relation found in the previous subsection. So it would seem that we have 
found a way of deducing the period P from the output y of STEP 2.4, and 
so we are done. 

Not quite! 

We can determine P from the measured y produced by STEP 2.4, only if 

Pn = d(y) 

q n = P 

which is true only when d(y) and P are relatively prime. 

So what is the probability that the y £ Y produced by STEP 2.4 satisfies 
the additional condition that 

gcd(P,d(y)) = 1 ? 



Proposition 3. The probability that the random y produced by STEP 2.4 is 
such that d{y) and P are relatively prime is bounded below by the following 
expression 

Prob{y G Y | gcd(d(y),P) = 1} > -i • ^ ■ (l - ^ 

where 4>(P) denotes Euler's totient function, i.e., <p(P) is the number of 
positive integers less than P which are relatively prime to P. 



The following theorem can be found in Theorem 328, Section 18.4]: 
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Theorem 2. 

<f>(N) 



lim inf 



iV/ In In TV 



where 7 denotes Euler's constant 7 = 0.57721566490153286061 ... , and 
where e~T = 0.5614594836 .... 



As a corollary, we have: 



Corollary 3. 

Prob{y e y I gcd(%),P) = 1} > • e -^f± • (l - £ 2 

where e (P) is a monotone decreasing sequence converging to zero. In terms 
of asymptotic notation, 



Prob{y e Y | gcd(d(j/),P) = 1} = O 



1 



IglgJV 



T/jus, i/ STEP 2.4 is repeated O(lglgiV) times, then the probability of suc- 
cess is £1 (1). 

Proof. Prom the above theorem, we know that 

cP(P) 



P/ln lnP 



>e" 7 -e(P) . 



where e (P) is a monotone decreasing sequence of positive reals converging 
to zero. Thus, 

<t>{P) e~"i - e (P) e~~i - e (P) _ - e (P) > e"T - e (P) 1 



In In P ~ In In iV hi In 2 + In lg iV ~ In 2 lg lg N 

□ 



Remark 4. ^ d g ig ]y ) denotes an asymptotic lower bound. Readers not 
familiar with the big-oh 0(*) and big-omega (*) notation should refer to 
[|, Chapter 2] or [|, Chapter 2]. 
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Remark 5. For the curious reader, lower bounds LB{P) of e 7 — e(P) for 
3 < P < 841 are given in the following table: 



r 


LB{P) 


3 


0. 062 


4 


0.163 


5 


0.194 


7 


0.303 


13 


0.326 


31 


0.375 


61 


0.383 


211 


0.411 


421 


0.425 


631 


0.435 


841 


O.468 



Thus, if one wants a reasonable bound on the Prob{y G Y \ gcd(d(y),P) = 1} 
before continuing with Shor's algorithm, it would pay to first use a classical 
algorithm to verify that the period P of the randomly chosen integer m is 
not too small. 



9. The final part of Shor's algorithm 



We are now prepared to give the last step in Shor's algorithm. This step 
can be performed on a classical computer. 



Step 2.5 Compute the period P from the integer y produced by STEP 2.4. 

• Loop for each n from n = 1 Until £ n = 0. 

• — Use the recurrence relations given in subsection 13.7, to com- 

pute the p n and q n of the n-th convergent 2a f J4 . 

• — Test to see if q n = P by computing^ 



n ( m2 ) ni m ° dN ' 



where q n = ^ q n ,i^ % 1S the binary expansion of q n . 

If m qn = lmodA^, then exit with the answer P = q n , and 

proceed to Step 3. If not, then continue the loop. 



6 The indicated algorithm for computing m g ™modiV requires 0(lgq n ) arithmetic 
operations. 
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• End of Loop 



• If you happen to reach this point, you are a very unlucky quantum 
computer scientist. You must start over by returning to STEP 
2.0. But don't give up hope! The probability that the integer y 
produced by STEP 2.4 will lead to a successful completion of Step 
2.5 is bounded below by 

4 e-T-e(P) f 1 _l\ 2 0-232 / 1_\ 2 
7r 2 ln2" lglgiV V ~NJ > iglgiV ' V ~NJ ' 

provided the period P is greater than 3. [ 7 denotes Euler's 
constant.] 



10. An example of Shor's algorithm 



Let us now show how iV = 91 (= 7 • 13) can be factored using Shor's 
algorithm. 

We choose Q = 2 14 = 16384 so that N 2 < Q < 2N 2 . 



Step 1 Choose a random positive integer m, say m = 3. Since gcd(91, 3) = 1, 
we proceed to STEP 2 to find the period of the function / given by 

f(a) = 3 a mod91 
Remark 6. Unknown to us, f has period P = 6. For, 



a 01234567 
/(a) 1 3 9 27 81 61 1 3 



.'. Unknown period P = 6 



STEP 2.0 Initialize registers 1 and 2. Thus, the state of the two registers becomes: 

m = io> io> 
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STEP 2.1 1 Apply the Q-point Fourier transform T to register #1, where 

-. 16383 

716384 ^ 

and where ui is a primitive Q-th root of unity, e.g., uj = ei63S4. Thus 
the state of the two registers becomes: 

1 16383 
x=0 



STEP 2.2 | Apply the unitary transformation Uf to registers #1 and #2, where 

C7> |ar> \£) = \x) \ f{x) -I mod 91) . 
(Please note that Uj = I. ) Thus, the state of the two registers becomes: 

IV>2> = ^ Ef= 3 o 83 k)|3^mod91) 

= T/lW 1 0) ^ + 1 X) |3) + 1 2) |9) + 1 3) |27) + 1 4) |81) + 1 5) |61) 

+ | 6) |1) + | 7) |3) + | 8) |9) +| 9) \27) + |10) |81) + |11) |61) 

+ |12)|1) +|13)|3) +|14)|9) +|15)|27) + |16)|81) + |17)|61) 

+ ... 

+ |16380) |1) + |16381) |3) + (16382) (9) + (16383) (27) 



Remark 7. The state of the two registers is now more than a superposition 
of states. We have in the above step quantum entangled the two registers. 



STEP 2.3 | Apply the Q-point T again to register #1. Thus, the state of the 
system becomes: 

= T^Ef= 3 o 83 |y)Ei 6 = 3 o 83 ^|3 K mod91) 
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where 

16383 

\T(y)) = w 3 * 13* mod 91) 

x=0 

Thus, 

T(y))= |1) + w"|3)+ cj 2 ^|9) + uj^y |27) + kA|81) + w 5 » |61) 

+ w 6 f|l) + w 7 w|3) + w 8 f|9) + uj^y \27)+ uj 1Q y |81) |61) 
+ Kj 12 f|l) + w 1% |3) +w 1% |9) + w 15j/ 1 27) +to 16y |81) +w 17 f |61) 
+ ... 

+ LO W38 °y |1) + Lo 16381 y 1 3) + w 16382 f 1 9) + w 16383 f 1 27) 



STEP 2.4 | Measure RegI. The result of our measurement just happens to turn 
out to be 

y = 13453 

Unknown to us, the probability of obtaining this particular y is: 

0.3189335551 x 10~ 6 . 

Moreover, unknown to us, we're lucky! The corresponding d is relatively 
prime to P, i.e., 

P 

d = d{y) = round{— ■ y) = 5 

However, we do know that the probability of d(y) being relatively prime 
to P is greater than 

fl 232 / 1 \ 2 

' J • 1-T7 ~8.4% (provided P > 3), 



lgigiv V N 

and we also know that 

p 

is a convergent of the continued fraction expansion of 

y _ 13453 
Q ~ 16384 

So with a reasonable amount of confidence, we proceed to Step 2.5. 
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Step 2.5 Using the recurrence relations found in subsection 13.7 of this paper, 
we successively compute (beginning with n = 0) the a n 's and g n 's for 
the continued fraction expansion of 

c - y _ 13453 

Q~ 16384 ' 

For each non-trivial n in succession, we check to see if 

3 qn = 1 mod 91. 

If this is the case, then we know q n = P, and we immediately exit from 
Step 2.5 and proceed to Step 3. 

• In this example, n = and n = 1 are trivial cases. 

• For n = 2, a>2 = 4 and qi = 5 . We test c/2 by computing 



Hence, 52 / -P- 



61 / 1 mod 91 



• We proceed to n = 3, and compute 

03 = 1 and (73 = 6. 
We then test qs by computing 

3^= 3 6 =(3 2 °)°.(3 2l ) 1 .(3 2(, ) 1 = lmod91. 

Hence, q% = P. Since we now know the period P, there is no need 
to continue to compute the remaining a n 's and q n : s. We proceed 
immediately to Step 3. 

To satisfy the reader's curiosity we have listed in the table below all the 
values of a n , p n , and q n for n = 0, 1, . . . ,14. But it should be mentioned 
again that we need only to compute a n and q n for n = 0, 1, 2, 3, as indicated 
above. 



n 





1 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


12 


13 


14 


a n 





1 


4 


1 


1 


2 


3 


1 


1 


3 


1 


1 


1 


1 


3 


Pn 





1 


4 


5 


9 


23 


78 


101 


179 


638 


817 


1455 


2272 


3727 


13453 


Qn 


1 


1 


5 


6 


11 


28 


95 


123 


218 


777 


995 


1772 


2767 


4539 


16384 



Step 3. Since P = 6 is even, we proceed to Step 4. 
Since 



Step 4. 



3 p / 2 = 3 3 = 27 / -1 mod 91, 



we goto Step 5. 
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Step 5. With the Euclidean algorithm, we compute 

gcd (3 P/2 - 1, 9l) = gcd (3 3 - 1, 91) = gcd (26, 91) = 13 



We have succeeded in finding a non-trivial factor of N = 91, namely 
13. We exit Shor's algorithm, and proceed to celebrate! 
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